Using search result as object of another search in same query

kryshael — Wed, 27 Apr 2022 16:02:39 GMT

I am learning Splunk (early stages). I have been playing around with this search for the past 2 hours with little success.

I am running this query to get an ip address of the workstation this person is using:

index=fortinet* user=XXXX* | top limit=1 sip | table sip

I am trying to tie this search in with another index search ( index=wineventlog_pc ) and use that ip address as the source to find the actual name of the workstation being used.

Any help or insights would be awesome. Thank you

Re: Using search result as object of another search in same query

richgalloway — Wed, 27 Apr 2022 17:25:51 GMT

To use the results of a search in another search, use what Splunk calls a subsearch. Subsearches are enclosed by square brackets and execute first so the one that produces results runs as the subsearch. Those results become part of the main search.

Using the example searches from the OP:

index=wineventlog_pc [ | index=fortinet* user=XXXX* | top limit=1 sip | format ]

The fortinet index is searched first and the results are converted by the format command into "sip=foo". Then the main search becomes index=wineventlog_pc sip=foo. Of course, the two indexes must use the same field name ("sip", in this case). If the don't then the subsearch must rename the field to match the name used in the main search.

topic Using search result as object of another search in same query in Splunk Search

Using search result as object of another search in same query

Re: Using search result as object of another search in same query